The Disconcerting Details: How Facebook Teams Up With Data Brokers to Show You Targeted Ads

Recently, we published a blog post that described how to opt out of seeing ads on Facebook targeted to you based on your offline activities. This post explained where these companies get their data, what information they share with Facebook, or what this means for your privacy.

So get ready for the nitty-gritty details: who has your information, how they get it, and what they do with it. It’s a lot of information, so we’ve organized it into an FAQ for convenience.

Data brokers are companies that trade in information on people – names, addresses, phone numbers, details of shopping habits, and personal data such as whether someone owns cats or is divorced. This information comes from easily accessible public data (such as data from the phone book) as well as from less accessible sources (such as when the DMV sells information like your name, address and the type of car you own). As Natasha Singer of the New York Times described in her portrait of data broker Acxiom last year, “If you are an American adult, the odds are that it knows things like your age, race, sex, weight, height, marital status, education level, politics, buying habits, household health worries, vacation dreams — and on and on.”

Data brokers make money by selling access to this information. Some companies deal specifically with regulated businesses purposes, such as helping employers run background checks on job applicants. Other data brokers sell or rent the data for marketing purposes.

But details about where these companies get all of their data are still fuzzy. Representative Edward Markey (D-Mass), Representative Joe Barton (R-TX) and six other lawmakers sent open letters to data brokers last year demanding answers about their business practices. The letters asked the companies to "provide a list of each entity (including private sources and government agencies and offices) that has provided data from or about consumers to you."

This question calls for Acxiom to provide information that would reveal business practices that are of a highly competitive nature. Acxiom cannot provide a list of each entity that has provided data from, or about, consumers to us.

There are government surveillance relationships to both data brokers and social networking sites that users should know.

Many data brokers work closely with the government. For example, the FBI has been paying Atlanta-based Choicepoint for access to its extensive database in order to screen for terrorist threats and for other purposes. And Acxiom worked with authorities after September 11th to track down 11 of the 19 hijackers -- and then continued to provide assistance to government agencies such as the TSA.

We also know that the government looks to Facebook and other social media sites for a range of purposes, both for criminal investigations and much more. EFF and the Samuelson Law Clinic at UC Berkeley School of Law filed suit in December 2009 against a half-dozen government agencies for refusing to disclose their policies for using social networking sites. We found lots of evidence of the U.S. government using social media sites for data-gathering, including that the U.S. Citizenship and Immigration Services uses social media sites to evaluate citizenship requests, that the Internal Revenue Service is poking around social networking sites to investigate taxpayers, and that the DEA is looking at social graphs of connected friends in order to map out associates of those sought in investigations.

What information is flowing between data brokers and Facebook?

Facebook’s new ad targeting program works with four data brokers: Acxiom, Datalogix, Epsilon, and BlueKai. Companies who want to advertise on Facebook can use the data controlled by these data brokers to build custom groups and then show those groups targeted ads on Facebook.

Certain technical steps as well as Facebook policies limit how much identifiable information flows between the data brokers and Facebook. Facebook didn't explain the details in its recent note, saying only “the process is designed so that no personal information is exchanged between Facebook and marketers (or the third parties those marketers work with).” A slightly more detailed, if somewhat outdated, explanation can be found in its description of Facebook Exchange.

Here’s how it works in practice.

For Acxiom, Epsilon and Datalogix

Under the new program, a company can approach a data broker (say, Acxiom) and ask for a particular audience list (for example, a list of people interested in buying family cars). Acxiom would create a list of email addresses for everyone in their database interested in buying family cars. Acxiom then generates cryptographic hashes of those email addresses and sends those hashes to Facebook. Facebook, in turn, creates cryptographic hashes of the email address of every Facebook user. Wherever the hashes Facebook creates match the hashes Acxiom created, Facebook identifies that user as part of the target group. Any hashes that don’t match are discarded (not used to form the audience); in this way, Facebook doesn’t collect a list of email address of people who don’t have accounts on Facebook. Of course, it might be possible for Facebook to recover the email addresses using something like a brute force attack, though the company has a policy against engaging in such an attack.

The company that first requested the ad will then provide Facebook with a specific advertisement (for example, a family car advertisement) and Facebook will display the ad to the group that was created with Acxiom’s data.

Facebook will likely be able to glean certain information about the user based on what is being advertised (for example, ads showing baby clothes might indicate the individual has or is expecting young children), regardless of what the Facebook user posted on her profile. Facebook will also know whether the individual interacted with the advertisement.

Facebook then provides the company with an aggregate report about how an ad performed, which might include information about how many people clicked on it, their locations, ages, genders, etc.

While Facebook may be taking steps to limit identifiable data flowing back to the data brokers, the result for users could be eerie. Users might find themselves seeing advertisements that are based on actions they took in the real world as well as personal facts about their life and circumstances that they have been careful not to put on Facebook.

For BlueKai

For BlueKai, it’s an entirely different process. Specifically, BlueKai places tracking cookies on an individual’s computer and uses those cookies to collect information about what pages that person visits in order to show her targeted advertisements. BlueKai shouldn’t have any email addresses to share with Facebook (In its privacy policy, BlueKai says that it is working to build a comprehensive online database “with utmost attention and diligence to ensuring your anonymity and privacy.”)

In this case Facebook is using a process called cookie matching.

Here’s how it works: companies will start by approaching BlueKai and asking it to show advertisement to individuals who, for example, visited the websites of hotels in San Francisco. When an individual logs into Facebook, Facebook uses an HTML pixel web bug with an HTTP redirect to allow Facebook and BlueKai to process the tracking cookies they have set on the user’s computer. If a BlueKai tracking cookie is in place, the cookie will be used to look up what sort of sites were recently visited, what interests are associated with that account, and what kind of purchases BlueKai believes the user might be planning to make. BlueKai will then communicate to Facebook which audience to place the user in. The company that originally requested the ads will provide the advertisement to Facebook.

As before, Facebook provides the company with an aggregate report about how an ad performed, which might include information about how many people clicked on it, their locations, ages, genders, etc. And, as with the other data brokers, Facebook would likely be able to glean certain information about the user based on what is being advertised, if it decided to look.

The end result for users is still disquieting: websites you visited when you were not logged into Facebook will be used as the basis for showing you advertisements on Facebook. This will happen whether you are logged in to Facebook or not, and regardless of whether you consent to tracking or not.

What does opting out mean?

In our prior post, we emphasized that the only way for individuals to get out of this program was to opt out. This means individually opting out on each of the websites of the affiliated data brokers -- a Byzantine, multi-step process.

Note that opting out of data brokers doesn’t mean your data is actually removed from their lists. Instead, it just means your data is suppressed and (hopefully) it won’t be included in the data sent to Facebook.

Please also note that going through the complex process of opting out of Acxiom, Datalogix, and Epsilon as well as using a cookie blocking tool to ward off BlueKai’s trackers may not be enough to protect your privacy from this targeted advertising program. There is nothing to prevent Facebook from engaging another data broker in this program in the future, in which case you’d have to opt out of that data broker as well.

You could attempt to opt out of every data broker, but this is a Sisyphean task. It would be hard (or potentially impossible) to know if you managed to opt out of every single existing data broker and quite difficult to know if those data brokers ever refreshed their data sets and added you back in. Furthermore, some data brokers may not offer any form of opt out. And even if you managed to get out of all the existing data brokers, newly formed data brokers could always appear and list your information.

The Privacy Rights Clearinghouse maintains a list of several hundred data brokers on their site.

Does Facebook have standards for companies who want to work for them?

Yes, and it just made those standards public. It's good that Facebook published a note explaining some of the minimum standards data broker must achieve in order to work with Facebook, although some of those standards are inadequate. Here’s what Facebook said:

Inline Transparency. Users will be able to navigate using a dropdown menu to arrive at a page that identifies the company that was responsible for including them in the audience for the ad. Facebook will also provide a centralized list of the third parties data brokers participating in the program.

Control Over Ad Display. A user will be able to ask Facebook not to show a particular ad again, or not to show any ads from that company. Participating companies must also provide on their "About this ad" page with an opt out of future targeting by that company.

Enhanced Disclosures. Companies participating in the program are supposed to expand their public knowledge centers so users can learn how data is collected and used. This includes explaining what types of information they collect and general information on what their policies are relating to the sharing that data.

Data Access Tools. Facebook stated that each of its partners “is working todevelop” tools that will help people see audience segment information that the partner has associated with them. The tools are also supposed to let users exercise control over that data. We saw the first example of this with Acxiom, which recently announced it would allow users the ability to access information about what categories of data are associated with them and make updates to those categories.

We think this is a good start, though we’d like to see stronger standards – such as augmenting Byzantine opt out systems with respect for the clear Do-Not-Track opt out signal, and a commitment to allow users to know what data a company has on them and what other entities have received that data. But publishing public standards was a big step in the right direction. By creating a public policy for the minimum privacy standards companies must meet in order to work with it, Facebook incentivizes up-and-coming data brokers to improve their privacy practices in the hopes of one day earning a contract with Facebook.

Will Facebook show me targeted ads on sites other than Facebook?

Right now, Facebook displays ads when users are on Facebook or sometimes when users are using Zynga and logged into Facebook. However, Facebook has reserved the right to show advertisements to users when they are not on Facebook.

Furthermore, Facebook is currently ignoring the Do Not Track signal. So while we are urging individuals to turn it on, just turning it on is not yet enough to get out of this targeted advertising program.

What could Facebook be doing differently?

There’s a lot that Facebook should be doing differently when it comes to this new targeted advertisement program, such as: 1. Stopping the program or 2. Making the program opt in, instead of opt out.

Short of doing these things, Facebook has many ways it could address the privacy concerns of users. Here are a few suggestions.

1. Respect Do Not Track

Facebook and data brokers should respect user wishes by committing to respect Do Not Track. This means not tracking users who transmit the DNT:1 signal and interpreting that signal as an effective opt out of this targeted advertising program.

2. Facebook could use its market power to prompt participating data brokers to improve their practices.

While Facebook doesn’t have ultimate control over how these data brokers operate, it does have an extremely powerful role to play in the data economy. Through negotiating its contracts with data brokers, it can insist that these companies meet basic standards for respecting the privacy choices of users.

For example, Facebook could require that all data brokers it works with provide users with a way of accessing their profiles and correcting inaccuracies and should ensure that a Do-Not-Track setting in the user's browser corresponds to opting out from tracking by that data broker. Facebook could also require each data broker to commit to not using data collected during the opt out process for unrelated activities and to discard all unnecessary data once the opt out is complete.

3. Facebook and data brokers could work together to create a single opt out process.

Anyone who is trying to opt out of this new targeted advertising program will see how complex it is. Users should not need to follow a complex process in order to opt out, and Facebook should use its place in the market to push for improvements. Facebook could set an important floor that could incentivize up-and-coming data brokers to improve their privacy practices in the hopes of one day earning a contract with Facebook. Data brokers who are keen to prove themselves capable of self-regulation should welcome this major step forward for transparency and choice.

In March of 2012, the Federal Trade Commission (FTC) released its final report on digital consumer privacy issues, which included a recommendation that the data broker industry create a central website that would explain the access rights and other options (e.g. opt out choices) available to consumers and which would provide links to exercising these choices. EFF applauded this move but wished that the industry would go one step further and provide users with a single website through which users can opt out of having their data listed by any online data brokers. Now is the time to make that a reality.

Facebook could easily ask that companies who want to engage with them in showing advertisements agree to coordinate on such a hub website. Notably, the Privacy Rights Clearinghouse has already gotten things started with its Online Data Vendors List.

Unfortunately, for now, the only advice we have for users is to opt out and stay vigilant.

Related Updates

Hiperderecho, the leading digital rights organization in Peru, in collaboration with the Electronic Frontier Foundation, today launched its second ¿Quien Defiende Tus Datos? (Who Defends Your Data?), an evaluation of the privacy practices of the Internet Service Providers (ISPs) that millions of Peruvians use every day. This year's...

The California Consumer Privacy Act (CCPA) requires the California Attorney General to take input from the public on regulations to implement the law, which does not go into effect until 2020. The Electronic Frontier Foundation has filed comments on two issues: first, how to verify consumer requests to companies for...

Ever since the Cambridge Analytica scandal last summer, consumer data privacy has been a hot topic in Congress. The witness table has been dominated by the biggest platforms, with those in lockstep with the tech giants earning the vast majority of attention. However, this week marked the first time that...

We urged the Florida Supreme Court yesterday to review a closely-watched lawsuit to clarify the due process rights of defendants identified by facial recognition algorithms used by law enforcement. Specifically, we told the court that when facial recognition is secretly used on people later charged with a crime, those...

In his latest announcement, Facebook CEO Mark Zuckerberg embraces privacy and security fundamentals like end-to-end encrypted messaging. But announcing a plan is one thing. Implementing it is entirely another. And for those reading between the lines of Zuckerberg’s pivot-to-privacy manifesto, it’s clear that this isn’t just about privacy. It’s...

In back-to-back hearings last week, the House and the Senate discussed what, if anything, Congress should do about online privacy. Sounds fine—until you see who they invited. Congress should be seeking out multiple, diverse perspectives. But last week, both chambers largely invited industry advocates, eager to...

San Francisco - Technology is supposed to make our lives better, yet many big companies have products with big security and privacy holes that disrespect user control and put us all at risk. The Electronic Frontier Foundation (EFF) is launching a new project called “Fix It Already!” demanding repair...

Today we are announcing Fix It Already, a new way to show companies we're serious about the big security and privacy issues they need to fix. We are demanding fixes for different issues from nine tech companies and platforms, targeting social media companies, operating systems, and enterprise platforms on...

Update, 2:35 p.m.: The coalition of groups behind Privacy for All has grown since time of publishing. This update reflects the latest count. Privacy is a right. It is past time for California to ensure that the companies using secretive practices to make money off of our personal information treat...